
Departmental Databases

Volume 475: debated on Wednesday 14 May 2008

To ask the Secretary of State for Health what audits his Department and its agencies have carried out in relation to personal data and IT equipment in each of the last 10 years. (176479)

Information on audits is held for the Department and its agencies, NHS Purchasing and Supply Agency (NHS PASA) and Medicines and Healthcare products Regulatory Agency (MHRA), as follows:


Data Protection Act—2001;

BS7799 (now ISO 27001)—every six months from the end of 2002 to November 2007;

System Security In Departmental Information Technology (IT) Applications—2004;

Freedom of Information—2006;

Information Security—2007.


The Agency was created in 2000 and since inception has been audited annually on all matters of governance including information security and data protection.

Since 2001 it has been audited twice yearly by British Standards Institute to ensure compliance with ISO 27001.

The most recent audit was in January 2008.

In addition the security of personal data is particularly emphasised in all audits.


2002-03 (pre-MHRA)—Data Protection Act and Systems Security;

2003-04—Assets and Inventories (including IT equipment);

2004-05—Information Management;

2005-06—Freedom of Information and IT Security;

2007-08—Assets and Inventories (including IT equipment) and IT Core Controls.

NHS Connecting for Health

The personal data of staff employed by NHS Connecting for Health are managed under direction of the Secretary of State for Health by the NHS Business Services Authority. Data Protection is managed by them in accordance with the Data Protection Act.

Mobile devices are audited on an annual basis—based on financial year. Audits begin in January and conclude in March.

The ongoing audit of servers and network equipment, including both hardware and software, is undertaken every three months as a consolidation exercise is in progress. Once the consolidation is complete, the audit will take place every six months and take approximately two weeks to complete.

Clear desk audits are carried out quarterly in every building to ensure compliance with physical security of IT equipment.

PC hardware is audited on an annual basis—based on financial year. Audits begin in January and conclude in March.

First Information Security Audit—completed October 2007.